Replace: Added HungerRush assertion under.
Clients of eating places utilizing the HungerRush point-of-sale (POS) platform say they obtained emails from a menace actor making an attempt to extort the corporate, warning that restaurant and buyer information could possibly be uncovered if HungerRush fails to reply.
HungerRush is a restaurant expertise supplier that provides point-of-sale (POS), on-line ordering, supply administration, and cost processing software program to assist eating places handle orders, buyer info, and enterprise operations.
The corporate claims to work with over 16,000 eating places, together with Sbarro, Jet’s Pizza, Fajita Pete’s, Hungry Howie’s, and lots of extra.
Extortion emails despatched to restaurant patrons
The attacker began sending the emails early Wednesday morning, with a number of recipients sharing samples with BleepingComputer.
The primary e mail was despatched from assist@hungerrush.com, prompting HungerRush to cease ignoring their extortion emails or it might put buyer information in danger.
“You cannot ignore all my requests and expect me not to take malicious actions. You still have time,” reads the e-mail.
“Every restaurant and customer of said restaurants’ data which is in the millions is in jeopardy here and I can’t even get a response back. Not to worry, there’s still time left.”
A second e mail, despatched three hours later from “2019@hungerrush.com,” escalates the menace, claiming that the attacker has entry to information information for thousands and thousands of shoppers that include names, emails, passwords, addresses, telephone numbers, dates of delivery, and bank card info.
Supply: BleepingComputer
BleepingComputer’s evaluation of the e-mail headers exhibits they have been delivered utilizing Twilio SendGrid, which clients have advised BleepingComputer was beforehand used to ship HungerRush restaurant receipts.
The emails have been despatched from o10.e.hungerrush.com (159.183.129.119), which resolves to infrastructure operated by Twilio SendGrid, a platform generally utilized by corporations to ship transactional and advertising emails.
The e-mail headers additionally affirm that the messages handed SPF, DKIM, and DMARC authentication checks for the hungerrush.com area, as the corporate’s SPF file, proven under, authorizes SendGrid to ship emails on their behalf.
v=spf1 embody:spf.safety.outlook.com embody:_spf.salesforce.com embody:mail.zendesk.com embody:_spf.psm.knowbe4.com embody:sendgrid.web embody:4750273.spf01.hubspotemail.web -allQuite a few folks on Reddit have reported receiving the emails, stating that previous digital receipts from eating places confirmed they used HungerRush’s ordering or POS techniques.
Alon Gal, co-founder and CTO of Hudson Rock, posted on LinkedIn that infostealer logs point out a HungerRush worker’s machine was allegedly contaminated with an infostealer in October 2025, resulting in the compromise of credentials.
In line with Gal, the malware stole quite a few company credentials, together with these for the corporate’s NetSuite, QuickBooks-related companies, Stripe dashboards, Invoice.com vendor cost techniques, Visa On-line business companies, and Salesforce environments.
It’s unclear if these stolen credentials are linked to the claimed breach at HungerRush.
In the meanwhile, clients of eating places utilizing the HungerRush POS system must be on alert for potential phishing emails and SMS texts that abuse the possibly stolen info.
HungerRush confirms breach
HungerRush confirmed to BleepingComputer that they’re conscious of the incident and have notified legislation enforcement.
“We are aware of the situation and are actively investigating in coordination with the appropriate authorities,” HungerRush advised BleepingComputer.
“Our teams are working quickly to understand the scope, address the issue, and implement any necessary remediation. Protecting our clients and their customers’ data is a top priority, and we are treating this matter with the utmost urgency.”
In a later replace, the corporate says that the incident is just not linked to the infostealer an infection seen by Alon Gal. As a substitute, HungerRush says the menace actor used a third-party vendor’s compromised credentials to breach its e mail advertising service account.
This allowed the menace actor to achieve entry to buyer contact info, which was used to ship the unauthorized emails.
“As a result, certain customer contact information (including names, email addresses, mailing addresses, and phone numbers) was accessed and used to send unauthorized email messages to certain merchants and consumers,” HungerRush advised BleepingComputer in an up to date assertion.
Nevertheless, HungerRush disputes the menace actor’s claims, stating that no delicate private or monetary info, resembling passwords, dates of delivery, Social Safety numbers, or cost card info, was uncovered within the breach.
HungerRush additionally famous that bank card information is just not saved inside its techniques.
Moreover, the corporate says there isn’t a proof that every other techniques have been compromised, with the breach restricted to the e-mail advertising service.
“As a precautionary measure, HungerRush disabled access to the affected email service to prevent additional unauthorized messages from being sent while the investigation continues,” the corporate mentioned.
Malware is getting smarter. The Purple Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 strategies and see in case your safety stack is blinded.
